[Snort-users] Snort syslog message format

Erek Adams erek at ...950...
Wed Jan 8 08:45:03 EST 2003


On Tue, 7 Jan 2003, Douglas Corner wrote:

> Is there documentation describing what is posted to syslog?  There seem to
> be several message formats, one for when rules fire and different formats
> for pre-processors.  I am doing some programming to process Snort syslog
> messages and would like to be precise and complete.

Well, the only real docs on that are the source.

And yes, there are 'different formats'.  Many moons ago there was no real
format for the output from plugins.  That's starting to become more and
more standardized.

Keep in mind the basic format is the same:  [xx:yyy:zz] <message>
Where xx is the Generator ID (GID), yyy is the Snort ID (SID), and zz is
the Revision of the SID.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
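
A small parser for the `[xx:yyy:zz] <message>` shape Erek describes, as an added example that is not part of this thread. The syslog prefix, the `snort[pid]:` tag, and the trailing `[Classification: ...] [Priority: n]` fields in the constructed sample lines are my assumptions about typical Snort output, not something the post states.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample lines (not real sensor output). The last two have no
# [gid:sid:rev] triple, or a malformed one, and must be reported as skipped.
SAMPLE_LINES = [
    "Jan  8 08:45:03 sensor snort[4242]: [1:1000001:3] LOCAL example rule fired "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 192.0.2.10:33333 -> 192.0.2.20:80",
    "Jan  8 08:45:04 sensor snort[4242]: [116:56:1] (snort_decoder) example decoder warning",
    "Jan  8 08:45:05 sensor snort[4242]: [119:2:1] (http_inspect) example preprocessor event",
    "Jan  8 08:45:06 sensor snort[4242]: Snort initialization complete",
    "Jan  8 08:45:07 sensor snort[4242]: [1:abc:1] not a valid triple",
]

# The common core: [GID:SID:REV] followed by free text. search() rather than
# match() so the syslog timestamp/host/tag prefix does not matter.
TRIPLE_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<rest>.*)$")
CLASS_RE = re.compile(r"\[Classification:\s*(?P<cls>[^\]]+)\]")   # assumed optional field
PRIO_RE = re.compile(r"\[Priority:\s*(?P<prio>\d+)\]")             # assumed optional field


class SnortEvent(NamedTuple):
    gid: int            # generator: 1 = rule engine, others = decoder/preprocessors
    sid: int
    rev: int
    message: str        # text up to the first bracketed metadata field, if any
    classification: Optional[str]
    priority: Optional[int]


def parse_snort_syslog(line: str) -> Optional[SnortEvent]:
    """Return the decoded event, or None if no [gid:sid:rev] triple is present."""
    m = TRIPLE_RE.search(line)
    if m is None:
        return None
    rest = m["rest"]
    # Preprocessor messages have no metadata fields; rule alerts may carry them.
    cut = min((i for i in (rest.find("[Classification:"), rest.find("[Priority:")) if i >= 0),
              default=len(rest))
    cls = CLASS_RE.search(rest)
    prio = PRIO_RE.search(rest)
    return SnortEvent(int(m["gid"]), int(m["sid"]), int(m["rev"]), rest[:cut].strip(),
                      cls["cls"].strip() if cls else None, int(prio["prio"]) if prio else None)


def parse_lines(lines: List[str]) -> Tuple[List[SnortEvent], int]:
    """Parse a batch; the second value counts lines with no usable triple."""
    events = [ev for ev in map(parse_snort_syslog, lines) if ev is not None]
    return events, len(lines) - len(events)


def count_by_signature(events: List[SnortEvent]) -> Counter:
    """Aggregate by (gid, sid, rev) so rule and preprocessor hits stay distinct."""
    return Counter((ev.gid, ev.sid, ev.rev) for ev in events)
```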



